Support for ESXi #116
Hi Kasey, contributions are always welcome 🙏
I think we need to see if we just need to adapt a few things or if we should create a specific ESXi baseline. Do you already have some ideas about required changes?
On 13. Jun 2019, at 13:56, Kasey Linden ***@***.***> wrote:
Is your feature request related to a problem? Please describe.
I would like to use InSpec to validate the configuration of ESXi
Describe the solution you'd like
Utilizing InSpec, validate that an ESXi system is hardened appropriately.
Describe alternatives you've considered
Looked into creating SCAP content. This looked very painful.
Additional context
Ideally I would like to create this for DISA STIGs eventually.
I haven't yet since I am just getting into using InSpec. I saw that there was an inspec-vmware module being developed, but further development on it was stopped and instead PowerCLI will be used. The little documentation that I have read so far on this has been confusing. I'm not sure if there is a plugin to run PowerShell/PowerCLI commands and then validate the output or if you literally just need to run a command. Some of the ESXi controls will just be standard Linux checks such as Thoughts?
I suppose there should actually be an esxi-baseline project instead. What I originally came to the linux-baseline project for was to create an issue to support Photon OS, but then decided ESXi should be done first.
@kclinden I agree with your assessment. First InSpec needs to support the basic platform detection in train. Once that is in place, it should work as expected. I have not played with ESXi for a while, but InSpec should have support for that. Therefore building a baseline for that is a great idea. Just create a new baseline and reuse the old PowerCLI resource from https://github.com/chef-boneyard/inspec-vmware. If you want to contribute the baseline to devsec, please let me know. I am not sure how far InSpec is with regard to PhotonOS support. That sounds interesting. Are you using it for K8s deployments?
Here is my draft profile for the latest ESXi 6.5 STIG. I have done a first pass on a large portion of the PowerCLI based checks. The rest will be SSH, and it sounds like they would have to be in a different profile since it will require a different transport method. How do I contribute this profile to dev-sec, and continue to work on it there?
Is the link missing? Should we close this in favor of dev-sec/dev-sec.github.io#46?
I would say this one can be closed, and yep I forgot the link! Here you go - https://github.com/kclinden/esxi-65-stig-v1r1
Thank you @kclinden